To support hybrid cloud and extended data center environments, KEMP LoadMaster implements IPsec VPN tunnels to secure and route traffic to remote locations. This capability supports a number of operational scenarios such as dynamic scaling via ‘cloud bursting’ and application delivery from multiple data centers. IPsec is an industry standard and is offered as a secure connectivity option on cloud services from Microsoft, Amazon and Google. IPsec is also available on server platforms such as Windows and Linux and on network routing appliances.
Example Scenario – Cloud bursting to Microsoft Azure
Cloud bursting allows organizations to dynamically scale applications by utilizing resources on cloud services that can be brought in and out of service as required to complement the on-premise application capacity. In the following cloud bursting environment, the application virtual service on LoadMaster is configured to forward traffic both to local servers and to servers located in the Microsoft Azure Cloud so that the application workload can be balanced between on-premise and cloud.
Under a light workload, the servers in the Azure cloud are turned off and the LoadMaster will not forward any traffic to these servers. When the traffic load increases, the Azure servers can be spun up and once operational, the LoadMaster will balance the workload across local and Azure servers. The IPsec VPN provides secure routing of traffic to any host in the connected Azure ‘Cloud Service’.
VPN (IPsec) services are included in all LoadMaster load balancers, and VPN connections are easily configured via the web management interface. LoadMaster includes diagnostic logs to troubleshoot VPN connectivity issues, while the packet trace facility can capture VPN traffic (IKE, AH, ESP) for more in-depth diagnostics.
Configure Site-To-Site VPN
There are two options for creating and configuring a virtual network:
- Configure the network manually by using a network configuration file
- Use the wizard in the Azure Management Portal
It is recommended to use the wizard the first time a virtual network is created. The wizard creates a network configuration file (.xml file) for the virtual network. After creating the first virtual network using the Management Portal, the network configuration file can be exported and used as a template to create additional virtual networks.
Follow the steps below to configure a site-to-site VPN in the Azure Management Portal:
These steps are correct at the time of writing this document. These steps may change without our knowledge. Please consult the Microsoft documentation for the latest steps.
- Log in to the Azure Management portal.
- Click New.
- Click Network Services and then click Virtual Network.
- Click Custom Create.
- Enter the Name of the virtual network, for example EastUSVNet.
This network name will be used when deploying the Virtual Machines and Platform as a Service (PaaS) instances so it is recommended to not enter a complicated name here.
- Specify the Location.
The location is directly related to the physical location (region) where the resources (Virtual Machines) will reside. For example, if the Virtual Machines that will be deployed to this network will be physically located in East US, select that location. The region associated with the virtual network cannot be changed after it is created.
- On the DNS Servers and VPN Connectivity page, enter the following information and then click the Next arrow:
- DNS Servers: Enter the DNS server name and IP address, or select a previously registered DNS server from the drop-down menu.
This setting does not create a DNS server. It allows the specification of the DNS servers to be used for name resolution for this virtual network.
- Configure Site-To-Site VPN: Select the check box called Configure a site-to-site VPN.
- Local Network: A local network represents the physical on-premises location. Select a local network that has previously been created, or create a new local network.
If an existing local network was selected, go to the Local Networks configuration page and ensure that the VPN Device IP address (public-facing IPv4 address for the VPN device) is accurate for this local network.
- If an existing local network was selected, skip this step. If creating a new local network, the Site-To-Site Connectivity page will appear. Enter the following information and then click the Next arrow:
- Name: The name of the local (on-premises) network site.
- VPN Device IP Address: This is the public-facing IPv4 address of the on-premises VPN device used to connect to Azure.
- Address Space: Specify the address range(s) (including starting IP and CIDR) to be sent through the virtual network gateway to the local on-premises location. If a destination IP address falls within one of the ranges specified here, it will be routed through the virtual network gateway.
- Add address space: If there are multiple address ranges to be sent through the virtual network gateway, this is where each additional address range is specified. Ranges can be added or removed later as needed, on the Local Network page.
- On the Virtual Network Address Spaces page, specify the address range to be used for the virtual network. Enter the following information, and then click the checkmark to configure the network:
These are the Dynamic IP addresses (DIPs) that will be assigned to the Virtual Machines and other role instances that are deployed to this virtual network. There are a few rules regarding the virtual network address space; please refer to the Microsoft - Virtual Network Address Spaces page for more information. It is particularly important to select a range that does not overlap with any of the ranges that are in use on the on-premises network. A range of IP addresses might need to be carved out of the on-premises network address space for use by the virtual network.
- Address Space: Include the starting IP address and the address count.
Verify that the address spaces specified do not overlap with any of the address spaces on the on-premises network.
- Add subnet: Include the starting IP address and address count.
Additional subnets are not required, but a separate subnet may be needed for Virtual Machines that will have static DIPs, or the Virtual Machines might need to be in a subnet that is separate from the other role instances.
- Add gateway subnet: Click to add the gateway subnet. The gateway subnet is used only for the virtual network gateway and is required for this configuration.
- Click the checkmark at the bottom of the page and Azure will begin creating the virtual network. When it completes, Created will be shown under Status on the Networks page in the Azure Management Portal.
- Next, configure the virtual network gateway to create a secure site-to-site connection. Refer to Microsoft - Configure a Virtual Network Gateway in the Management Portal for instructions on how to do this.
- When you get to the Configure your VPN Device section, refer to the section below for instructions on how to configure the LoadMaster.
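The address-space rules in the steps above (the virtual network must not overlap the on-premises ranges, every subnet including the required GatewaySubnet must sit inside the virtual network address space, and a destination is routed through the gateway only when it falls in a Local Network range) are easy to get wrong in the portal. The following Python check is an added example, not part of the KEMP or Microsoft documentation; the address ranges in it are constructed sample values.

```python
import ipaddress

# Constructed sample plan (not from the document): the on-premises site behind
# the LoadMaster and the Azure virtual network that must not overlap it.
ON_PREM_RANGES = ["10.0.0.0/16", "192.168.10.0/24"]      # Local Network address space
VNET_ADDRESS_SPACES = ["172.16.0.0/16"]                    # Virtual Network address space
VNET_SUBNETS = {
    "Subnet-1": "172.16.1.0/24",          # VMs / role instances
    "GatewaySubnet": "172.16.255.0/29",   # required for the virtual network gateway
}

def _nets(cidrs):
    # strict=True rejects a CIDR whose host bits are set, e.g. 172.16.1.5/24
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def validate_vnet_plan(vnet_spaces, subnets, on_prem_ranges):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vnets, on_prem = _nets(vnet_spaces), _nets(on_prem_ranges)
    # 1. The virtual network space must not overlap any on-premises range.
    for v in vnets:
        for o in on_prem:
            if v.overlaps(o):
                problems.append(f"VNet space {v} overlaps on-premises range {o}")
    # 2. A gateway subnet is required for the site-to-site gateway.
    if "GatewaySubnet" not in subnets:
        problems.append("GatewaySubnet missing")
    # 3. Every subnet must fall inside one of the virtual network address spaces ...
    subs = {name: ipaddress.ip_network(c, strict=True) for name, c in subnets.items()}
    for name, s in subs.items():
        if not any(s.subnet_of(v) for v in vnets):
            problems.append(f"subnet {name} {s} is outside the VNet address space")
    # ... and subnets must not overlap each other.
    names = sorted(subs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subs[a].overlaps(subs[b]):
                problems.append(f"subnets {a} and {b} overlap")
    return problems

def routed_via_gateway(dst_ip, on_prem_ranges):
    """True if Azure would send dst_ip through the virtual network gateway,
    i.e. it lies inside one of the Local Network address ranges."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in n for n in _nets(on_prem_ranges))

if __name__ == "__main__":
    for p in validate_vnet_plan(VNET_ADDRESS_SPACES, VNET_SUBNETS, ON_PREM_RANGES):
        print("PROBLEM:", p)
    print("10.0.5.7 via gateway:", routed_via_gateway("10.0.5.7", ON_PREM_RANGES))
```

Run it against your own Local Network and Virtual Network values before clicking the final checkmark; an overlap reported here is the case the portal notes warn about and the one that is hardest to fix after the gateway is built.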